CyberArmor Builds a System for Personal Firewalls

Remember when only a few forward-thinking individuals installed virus
checkers on their desktop PCs? Now, managed desktop and mail server anti-virus
programs are a must. While anti-virus products on every desktop are routine,
firewalls are not. Traditional perimeter-based firewalls can do a lot
to protect your network from outside attack, but protection is also needed
at the individual host. Traveling users with corporate laptops, telecommuters
and even computers that never leave the office are all subject to many
types of intrusions. Some of the most nefarious attacks come in the form
of executable attachments, downloaded files, and unauthorized local host
shares and web servers.

But if we have to manage anti-virus products because we can't get users
to download simple anti-virus updates, how will they respond to pop-up
intrusion detection alerts? You guessed it, they'll call us all in a panic.
I shudder to think about that. And how will we handle the flood of calls
and potential disasters that turn out to be notifications that the firewall
is doing its job?

CyberArmor seeks to provide the answers to these questions. For this
review I installed the just-shy-of-release version 2.0 CyberArmor suite
in a test network and put it through its paces.

CyberArmor's strength is centralized policy management. This is accomplished
by providing not one, but four components (see figure). The CyberArmor
client runs on individual PCs. The CyberServer is a database that receives
notifications of alarm conditions from the CyberArmor client. Policy Manager
($995 each) is used to create profiles to install on hosts. CyberConsole
($295/seat) can be used to view the database.

To understand CyberArmor you must picture the suite
components in your network. The CyberArmor client is configured via
a profile from the Policy Manager. Once installed on the client system,
the profile blocks the activity designed into the policy. Alarms and
notifications can be sent to the CyberServer, a database prepared
just for them. You use the CyberConsole to view the activity in the
database.

The key to making this product work in your environment is your understanding
of the policies. Sample policies are included, as are instructions for
writing rules. Many rules vary little from basic packet filters; others
allow blocking of types of files, specific files, or merely require logging
of the suspicious activity you identify. You use Policy Manager to view
example rules and policies, and to create your own. Completed policies
and basic configuration information are then built into profiles. These
profiles become the CyberArmor client when installed on a host system.
Profiles can be installed on clients from a network share, or placed on
a floppy disk and installed locally. The profile's configuration is password
protected. The typical user, of course, should not be adjusting the policy,
or stopping its use. Fortunately, changes to policy rules cannot be made
from the client system. You can create multiple profiles, each one appropriate
for a different group of users.

Once installed, policies can be automatically updated by simply placing
new configuration files in the preconfigured web server download area.
When you create a profile, you choose whether the client will auto-download
updates or prompt the user first. To prevent successful spoofing of a new
profile, the downloadable new profile file can be signed. An unsigned or
incorrectly signed profile will then be rejected by the client.
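The rejection rule described above is worth seeing in code, because the useful property is not that a signature is present but that the client holds only the administrator's public key and refuses anything it cannot verify. The following is an added example written for this review, not CyberArmor's own code; the article does not say which signature scheme or file layout the product uses, so this example assumes Ed25519 with the signature carried in a trailer line, and the profile text and rule lines are constructed sample content.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// sigTrailer marks the detached signature appended to a profile.
// This layout is an assumption for the example, not the product's format.
const sigTrailer = "# signature: "

// SignProfile runs on the administrator's side (the Policy Manager role):
// it signs the profile body with the private key and appends the trailer.
func SignProfile(priv ed25519.PrivateKey, profile string) string {
	sig := ed25519.Sign(priv, []byte(profile))
	return profile + "\n" + sigTrailer + base64.StdEncoding.EncodeToString(sig) + "\n"
}

// VerifyProfile runs on the client side. It needs only the public key and
// returns the profile body solely when the trailer verifies; an unsigned,
// malformed, tampered, or wrongly keyed profile is rejected with an error.
func VerifyProfile(pub ed25519.PublicKey, signed string) (string, error) {
	idx := strings.LastIndex(signed, "\n"+sigTrailer)
	if idx < 0 {
		return "", errors.New("unsigned profile rejected")
	}
	body := signed[:idx]
	encoded := strings.TrimSpace(signed[idx+1+len(sigTrailer):])
	sig, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "", errors.New("malformed signature: profile rejected")
	}
	if !ed25519.Verify(pub, []byte(body), sig) {
		return "", errors.New("signature mismatch: profile rejected")
	}
	return body, nil
}

func main() {
	// Constructed sample profile; the rule syntax is invented for the example.
	profile := "deny tcp any any 139\nlog file *.exe\n"

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	signed := SignProfile(priv, profile)

	// Case 1: a genuine update from the download area is accepted.
	if body, err := VerifyProfile(pub, signed); err == nil {
		fmt.Printf("accepted profile:\n%s", body)
	}
	// Case 2: a profile with no trailer is refused.
	_, err = VerifyProfile(pub, profile)
	fmt.Println("unsigned:", err)
	// Case 3: a profile altered after signing is refused.
	_, err = VerifyProfile(pub, strings.Replace(signed, "deny", "permit", 1))
	fmt.Println("tampered:", err)
	// Case 4: a profile signed by some other key is refused.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, err = VerifyProfile(otherPub, signed)
	fmt.Println("wrong key:", err)
}
```

The design point is that the private key never leaves the administrator's system; a client that is itself compromised can still not produce a profile that other clients would accept, which is what makes the "auto-download" option safe to enable.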

If you have few users and do not wish to log alarms and notifications
to a central database, your installation of the suite stops here. However,
though notifications and alarms can be logged in a local file, and alarms
create event log entries, it might be difficult to manage any large number
of users this way. CyberServer, which installs an Access database for
its use (but can be configured to use your Oracle database server), eases
the task. You can install the CyberConsole on the same system as the CyberServer
to see data in broad views, or filtered by user, group, or information
type. Client installation information is also recorded in the database.

My examination of CyberArmor was basic but showed me enough that I will
want to look at it in more detail later. I was able to get the suite up
and running. I found the process a little rough around the edges, but
much of that can be attributed to the difficulties in installing a complete
suite of new products under less than ideal circumstances and my early
attempt to attack clients from the CyberServer system. Can you guess what
happened? My attacks were unsuccessful and provoked CyberArmor to block
any access from or to my IP address for a short period of time. Since
I had configured frequent updating of the database, the CyberClient's attempts
to upload new alarms were blocked, just as they should have been.

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.